Enumerating subdomain when performing recon (or asset identification) is a task that you will (and should) perform regularly.

Methods

Scraping
Brute-force
Alterations & permutations of already known subdomains

Online DNS tools

spyse [https://spyse.com/tools/subdomain-finder]
nmmapper [https://www.nmmapper.com/sys/tools/subdomainfinder/]